697024 – (CVE-2015-5300) <net-misc/ntpsec-1.1.7-r1: outdated systemd unit file allows for (CVE-2015-5300)

Bug 697024 (CVE-2015-5300) - <net-misc/ntpsec-1.1.7-r1: outdated systemd unit file allows for (CVE-2015-5300)

Summary: <net-misc/ntpsec-1.1.7-r1: outdated systemd unit file allows for (CVE-2015-5300)

Status:	RESOLVED FIXED

Alias:	CVE-2015-5300

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://github.com/ntpsec/ntpsec/comm...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	694748
Blocks:
	Show dependency tree

Reported:	2019-10-09 00:15 UTC by Alessandro Barbieri
Modified:	2020-04-16 07:49 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alessandro Barbieri 2019-10-09 00:15:23 UTC

Upstream provides a systemd unit that fixes the vulnerability since v1.1.0
https://github.com/ntpsec/ntpsec/commit/8459d15f8cf19a54cf149779d0d967883aa5c6b4
but the ebuild installs the old one
https://github.com/gentoo/gentoo/blob/master/net-misc/ntpsec/ntpsec-1.1.6.ebuild#L134

see https://bugs.gentoo.org/696896#c3 for a possible patch

Comment 1 Larry the Git Cow gentoo-dev

2019-10-26 17:51:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=def2c6ace829ce9e98c8963802a0b3baf916ac72

commit def2c6ace829ce9e98c8963802a0b3baf916ac72
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 17:49:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 17:50:54 +0000

    net-misc/ntpsec: update unit file to avoid CVE-2015-5300
    
    Bug: https://bugs.gentoo.org/697024
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/ntpsec/files/ntpd-r1.service                 | 19 +++++++++++++++++++
 .../{ntpsec-1.1.7.ebuild => ntpsec-1.1.7-r1.ebuild}   |  2 +-
 net-misc/ntpsec/ntpsec-9999.ebuild                    |  2 +-
 3 files changed, 21 insertions(+), 2 deletions(-)

Comment 2 Yury German Gentoo Infrastructure

2020-03-19 20:32:22 UTC

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

Comment 3 NATTkA bot gentoo-dev

2020-04-12 19:29:21 UTC

Unable to check for sanity:

> dependent bug #694748 is missing keywords

Comment 4 NATTkA bot gentoo-dev

2020-04-13 14:40:53 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 5 Yury German Gentoo Infrastructure

2020-04-16 07:49:06 UTC

Cleanup is part of bug 694748
Thank you all for you work. 
Closing as [noglsa].